In the five months Gary Min was stealing US$400 million (NZ$558 million) worth of proprietary information from a DuPont company database, he downloaded and accessed more than 15 times as many documents as the next-highest user of the system. But he wasn’t caught until after he left the company for a rival firm.
Min pleaded guilty in November to misappropriating the data and is scheduled to be sentenced on 29 March. His case is only the latest to highlight a lack of internal controls for dealing with insider threats at many companies. In February 2006, a cell development technologist at battery maker Duracell admitted to stealing research related to the company’s AA batteries, emailing the information to his home computer, and then sending it to two Duracell rivals.
Dealing with such issues can be challenging, especially in large corporations, says Tom Bowers, former manager of information security operations for the global security division of Wyeth Pharmaceuticals.
“I am not at all surprised” about what happened at DuPont, says Bowers, who is now managing director at Security Constructs, a Pennsylvania-based consultancy. “When you have a huge multinational like that, your security department is never really going to fully have any realistic idea of where or how the information is flowing,” he says.
But there are ways to mitigate some of the risks and help companies better track what’s going on inside the firewall, according to security analysts. Experts advise taking the following steps:
1. Get a handle on the data. It’s impossible to put controls on sensitive and proprietary information on your network if you don’t even know where that data is. An organisation’s sensitive data is widely distributed throughout its corporate network, according to Eric Ogren, an analyst at Enterprise Strategy Group, in Massachusetts. Important data resides not just in databases but in email messages, on individual PCs and as data objects in web portals. Sensitive information also comes in many forms. And trade secrets can be found in many types of documents and files, Ogren says.
Implementing one set of controls for all data types can be inefficient and impractical. Instead, categorise data and choose the most appropriate set of controls for each data class. There are a growing number of tools available from vendors such as Reconnex, Tablus and Websense that are capable of automatically scanning company networks and identifying sensitive data where it resides. Many of the same tools can be used to separate data into different categories based on policies defined by a company.
2. Monitor content in motion. As companies web-enable their business and link-up with networks belonging to partners, suppliers and customers, it is vital to keep track of what’s flowing over your networks. Content monitoring was a core “foundation piece” for Wyeth’s data protection strategy, Bowers says. With so many network “egress points” through which data can flow out, it is vital to be able to monitor network traffic, he says. Vendors such as Vericept, Vontu, Oakley Networks, Reconnex and Websense all sell products that can inspect email, instant messages, P2P file sharing systems, web postings and FTP sites for data that may be exiting a company network in violation of policies. The tools sit near network gateways and are designed to issue alerts when they come across suspicious data packets. Many of the products can also be used to enforce actions such as blocking data or encrypting it when it leaves the network.
Such tools allowed Wyeth to “look at everything coming in and going out of our networks,” Bowers says.
3. Keep an eye on databases, which can contain a company’s crown jewels. You should know not only who’s accessing them, but also when, where, how and why they’re doing so. Several database activity monitoring tools are available. These products are designed to allow companies to monitor database access and activities. Such products are designed to keep an eye on what users and administrators are doing with their access privileges and either prevent certain actions — such as modifying, copying, deleting or downloading large sets of files — or send out alerts when someone attempts one of those actions. They also can provide clear audit trails that track when people try to act outside of corporate policy. Encrypting sensitive data in databases is another measure companies should consider if they haven’t done so already.
4. Limit user privileges. Most companies give their employees far more access than they need to do their jobs, says Amichai Shulman, chief technology officer at data security provider Imperva. Monitoring user access to mission-critical information and detecting unauthorised access to high-risk data are key capabilities companies need to consider putting in place. Create access policies that limit users’ network privileges strictly to what is required for their jobs, and put in place controls for enforcing those policies, Shulman says. For instance, have controls that issue alerts when someone who might normally work with about 10 documents a day suddenly starts accessing a lot more, he says.
Making access control decisions on an “insider versus outsider” basis is overly simplistic, says Matt Kesner, chief technology officer at Fenwick and West. Sometimes, an outsider may legitimately need equal or even more access to internal assets than an insider would.
5. Cover those endpoints. The proliferation of portable devices such as laptops and PDAs, and removable media such as USB memory sticks and iPods, make it easier than ever for rogue insiders to walk away with gobs of corporate data. Companies need to think about measures for controlling and monitoring what devices can be attached to corporate networks and what data can be downloaded, uploaded and stored on them. This can be hard, but several tools are available that promise to make the task easier.
“When it comes right down to it, very few companies have put in place effective controls that enable them to monitor internal systems closely and allow them to follow the movement of data” on their networks, says Alex Bakman, CEO of Ecora Software.